docs: book: update minijail and seccomp docs

- Fix the links to point to the current chromiumos repositories.
- Delete a weird preachy sentence about language choice.
- Update the location of the jail helpers source file and add a link.
- Add a paragraph about the policy BPF build process.

Change-Id: I43791eefb619e4c2cac6bb994d31ee95f5725ad0
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/4574299
Reviewed-by: Shin Kawamura <kawasin@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Daniel Verkamp 2023-05-31 15:53:36 -07:00 committed by crosvm LUCI
parent 00a5c4cf9b
commit 4e807800b9
2 changed files with 12 additions and 6 deletions

View file

@ -2,13 +2,11 @@
On Linux hosts, crosvm uses [minijail](https://google.github.io/minijail/) to sandbox the child
devices. The minijail C library is utilized via a
[Rust wrapper](https://android.googlesource.com/platform/external/minijail/+/refs/heads/master/rust/minijail/src/lib.rs)
[Rust wrapper](https://chromium.googlesource.com/chromiumos/platform/minijail/+/refs/heads/main/rust/minijail/src/lib.rs)
so as not to repeat the intricate sequence of syscalls used to make a secure isolated child process.
The fact that minijail was written, maintained, and continuously tested by a professional security
team more than makes up for its being written in an memory unsafe language.
The exact configuration of the sandbox varies by device, but they are mostly alike. See
`create_base_minijail` from `linux/jail_helpers.rs`. The set of security constraints explicitly used
[`create_base_minijail`] from `jail/src/helpers.rs`. The set of security constraints explicitly used
in crosvm are:
- PID Namespace
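Review bot: the added `[Rust wrapper]` link resolves to `refs/heads/main` of the chromiumos minijail repository, a moving branch head, so the `lib.rs` it shows can diverge from the minijail revision crosvm is actually built against; a pinned revision, or a clause saying the link tracks upstream HEAD, would keep the reference honest. The new `[`create_base_minijail`]` reference points at the rustdoc page, which is useful, but the same sentence could also link `jail/src/helpers.rs` to its source so a reader auditing the sandbox can follow the syscall sequence rather than only the function signature.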
@ -23,3 +21,5 @@ in crosvm are:
- [PR_SET_NO_NEW_PRIVS](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)
- [seccomp](seccomp.html) with optional log failure mode
- Limit to number of file descriptors
[`create_base_minijail`]: https://crosvm.dev/doc/jail/fn.create_base_minijail.html
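Review bot: the reference definition `[`create_base_minijail`]: https://crosvm.dev/doc/jail/fn.create_base_minijail.html` needs a blank line between it and `- Limit to number of file descriptors`; in CommonMark a link reference definition cannot interrupt a paragraph, so without the separator it is absorbed as literal text into the last bullet and the `[`create_base_minijail`]` reference in the previous hunk renders unresolved. The hunk header counts two added lines while only the definition itself is visible here, so if the blank line is already one of them this is fine; worth confirming in the rendered book.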

View file

@ -6,12 +6,18 @@ the BPF programs, crosvm uses minijail's policy file format. A policy file is wr
device per architecture. Each device requires a unique set of syscalls to accomplish their function
and each architecture has slightly different naming for similar syscalls. The ChromeOS docs have a
useful
[listing of syscalls](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md).
[listing of syscalls](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/constants/syscalls.md).
The seccomp policies are compiled from `.policy` source files into BPF bytecode by
[`jail/build.rs`](https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/jail/build.rs)
and embedded in the crosvm executable, so it is not necessary to install the seccomp policy files,
only the crosvm binary itself. Be sure to remember to rebuild crosvm after changing a policy file to
observe the updated behavior.
## Writing a Policy for crosvm
The detailed rules for naming policy files can be found in
[seccomp/README.md](https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/seccomp/README.md)
[jail/seccomp/README.md](https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/jail/seccomp/README.md)
Most policy files will include the `common_device.policy` from a given architecture using this
directive near the top:
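Review bot: the added paragraph says `jail/build.rs` compiles `.policy` files into BPF bytecode but not what does the compiling or where the output lands, so a developer whose policy fails to compile has no pointer to the tool or the generated artifact; one clause naming the compiler `build.rs` invokes would close that gap. Like the `[Rust wrapper]` link earlier in this change, the `jail/build.rs` link targets `refs/heads/main` and will drift with the branch. Minor wording: `Be sure to remember to rebuild crosvm` doubles up; `Rebuild crosvm after changing a policy file to observe the updated behavior` says the same thing. The updated `[jail/seccomp/README.md]` link line also still runs straight into `Most policy files ...` without a terminating period.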